1 Introduction



In this paper, we explore the problem of iterative approximate Byzantine consensus in
arbitrary directed graphs. In particular, we prove a necessary and sufficient condition for the
existence of iterative Byzantine consensus algorithms. Additionally, we use our sufficient
condition to examine whether such algorithms exist for some specific graphs.

Approximate Byzantine consensus [5] is a natural extension of the original Byzantine Generals
(or Byzantine consensus) problem [S]. The goal in approximate consensus is to allow the
fault-free nodes to agree on values that are approximately equal to each other. There exist
iterative algorithms for the approximate consensus problem that work correctly in fully
connected graphs [HI [12] when the number of nodes $n$ exceeds $3f$, where $f$ is the upper bound on
the number of failures. In [BJ, Fekete studies the convergence rate of approximate consensus
algorithms. Ben-Or et al. develop an algorithm based on Gradcast to solve approximate
consensus efficiently in a fully connected network [3].

There have been attempts at achieving approximate consensus iteratively in partially 
connected graphs. In [5], Kieckhafer and Azadmanesh examined the necessary conditions in 
order to achieve "local" convergence and performed a case study on global convergence in 
some special graphs. Later, they extended their work to asynchronous systems [2]. In [I], 
Azadmanesh et al. showed how to build a special network, called Partially Fully Connected 
Network, in which global convergence is achieved. Srinivasan and Azadmanesh studied 
the application of iterative approximate consensus in data aggregation, and developed an 
analytical approach using Markov chains [T3| [H] . 

In [TB], Sundaram and Hadjicostis explored Byzantine-fault tolerant distributed function 
calculation in an arbitrary network assuming a broadcast model. Under the broadcast model, 
every transmission of a node is received by all its neighbors. Hence, faulty nodes can send 
false data, but they have to send exactly the same piece of data to all their neighbors. They 
proved that distributed function calculation is possible if network connectivity is at least 
2f + 1. Their algorithm maintains more "history" (a sequence of previous states) than the 
iterative algorithms considered in this paper. 

In [18], Zhang and Sundaram studied the sufficient conditions for an iterative consensus
algorithm under the "f-local" fault model. They also provided a construction of graphs satisfying
the sufficient conditions.

LeBlanc and Koutsoukos [10] address a continuous time version of the Byzantine consensus
problem in complete graphs. Recently, for the broadcast model, LeBlanc et al. have
independently developed necessary and sufficient conditions for $f$-fault tolerant approximate
consensus in arbitrary graphs [T7]; in [11] they have developed some sufficient conditions for
correctness of a class of iterative consensus algorithms.

To the best of our knowledge, characterization of tight necessary and sufficient conditions
for iterative approximate consensus in arbitrary directed graphs in the presence of Byzantine
faults under the point-to-point model is still an open problem. Iterative approximate consensus
algorithms without any fault tolerance capability (i.e., $f = 0$) in arbitrary graphs have been
explored extensively. The proof of convergence presented in this paper is inspired by the
prior work on non-fault-tolerant algorithms [3].

2 Preliminaries 

2.1 Network Model 

The network is modeled as a simple directed graph $G(\mathcal{V}, \mathcal{E})$, where $\mathcal{V} = \{1, \dots, n\}$ is the set
of $n$ nodes, and $\mathcal{E}$ is the set of directed edges between nodes in $\mathcal{V}$. We use the terms "edge"
and "link" interchangeably. We assume that $n \geq 2$, since the consensus problem for $n = 1$
is trivial. If a directed edge $(i,j) \in \mathcal{E}$, then node $i$ can reliably transmit to node $j$. For
convenience, we exclude self-loops from $\mathcal{E}$, although every node is allowed to send messages
to itself. We also assume that all edges are authenticated, such that when a node $j$ receives
a message from node $i$ (on edge $(i,j)$), it can correctly determine that the message was sent
by node $i$. For each node $i$, let $N_i^-$ be the set of nodes from which $i$ has incoming edges.
That is, $N_i^- = \{ j \mid (j,i) \in \mathcal{E} \}$. Similarly, define $N_i^+$ as the set of nodes to which node $i$
has outgoing edges. That is, $N_i^+ = \{ j \mid (i,j) \in \mathcal{E} \}$. By definition, $i \notin N_i^-$ and $i \notin N_i^+$.
However, we emphasize that each node can indeed send messages to itself. The network is
assumed to be synchronous.

2.2 Failure Model 

We consider the Byzantine failure model, with up to $f$ nodes becoming faulty. A faulty node
may misbehave arbitrarily. Possible misbehavior includes sending incorrect and mismatching
messages to different neighbors. The faulty nodes may potentially collaborate with each
other. Moreover, the faulty nodes are assumed to have complete knowledge of the state of
the other nodes in the system and complete knowledge of the specification of the algorithm.

2.3 Iterative Approximate Byzantine Consensus 

We consider iterative Byzantine consensus as follows: 

• Up to $f$ nodes in the network may be Byzantine faulty.

• Each node starts with an input, which is assumed to be a single real number.

• Each node $i$ maintains state $v_i$, with $v_i[t]$ denoting the state of node $i$ at the end of
the $t$-th iteration of the algorithm. $v_i[0]$ denotes the initial state of node $i$, which is
set equal to its input. Note that, at the start of the $t$-th iteration ($t > 0$), the state of
node $i$ is $v_i[t-1]$.

• The goal of an approximate consensus algorithm is to allow each node to compute an
output in each iteration with the following two properties:

— Validity: The output of each node is within the convex hull of the inputs at the
fault-free nodes.

— Convergence: The outputs of the different fault-free nodes converge to an identical
value as $t \to \infty$.

• Output constraint: For the family of iterative algorithms considered in this paper,
output of node $i$ at time $t$ is equal to its state $v_i[t]$.

The iterative algorithms will be implemented as follows:

• At the start of the $t$-th iteration, $t \geq 1$, each node $i$ sends $v_i[t-1]$ on all its outgoing links
(to nodes in $N_i^+$).

• Denote by $r_i[t]$ the vector of values received by node $i$ from nodes in $N_i^-$ at time $t$.
The size of vector $r_i[t]$ is $|N_i^-|$.

• Node $i$ updates its state using some transition function $Z_i$ as follows, where $Z_i$ is part
of the specification of the algorithm:

$$v_i[t] = Z_i(r_i[t], v_i[t-1])$$

Since the inputs are real numbers, and because we impose the above output constraint,
the state of each node in each iteration is also viewed as a real number.

The function $Z_i$ may be dependent on the network topology. However, as seen later, for
convergence, it suffices for each node $i$ to know $N_i^-$.

Observe that, given the state of the nodes at time $t-1$, their state at time $t$ is independent
of the prior history. The evolution of the state of the nodes may, therefore, be modeled by
a Markov chain (although we will not use that approach in this paper).

We now introduce some notations.

• Let $\mathcal{F}$ denote the set of Byzantine faulty nodes, where $|\mathcal{F}| \leq f$. Thus, the set of

• $U[t] = \max_{i \in \mathcal{V} - \mathcal{F}} v_i[t]$. $U[t]$ is the largest state among the fault-free nodes (at time $t$).
Recall that, due to the output constraint, the state of node $i$ at the end of iteration $t$
(i.e., $v_i[t]$) is also its output in iteration $t$.

• $\mu[t] = \min_{i \in \mathcal{V} - \mathcal{F}} v_i[t]$. $\mu[t]$ is the smallest state among the fault-free nodes at time $t$
(we will use the phrase "at time $t$" interchangeably with "at the end of $t$-th iteration").

With the above notation, we can restate the validity and convergence conditions as follows:

• Validity: $\forall t > 0$, $U[t] \leq U[0]$ and $\mu[t] \geq \mu[0]$

• Convergence: $\lim_{t \to \infty} U[t] - \mu[t] = 0$

1 For sets $X$ and $Y$, $X - Y$ contains elements that are in $X$ but not in $Y$. That is, $X - Y = \{ i \mid i \in X, i \notin Y \}$.

The output constraint and the validity condition together imply that the iterative
algorithms of interest do not maintain a "sense of time". In particular, the iterative computation
by the algorithm, as captured in functions $Z_i$, cannot explicitly take the elapsed time (or $t$)
into account (footnote 2). Due to this, the validity condition for algorithms of interest here becomes:

$$\text{Validity: } \forall t > 0,\ U[t] \leq U[t-1] \text{ and } \mu[t] \geq \mu[t-1] \qquad (1)$$

In the discussion below, when we refer to the validity condition, we mean (1).

For illustration, below we present Algorithm 1 that satisfies the output constraint. The
algorithm has been proved to achieve validity and convergence in fully connected graphs with
$n > 3f$ [21 [12]. We will later address correctness of this algorithm in arbitrary graphs.
Here, we assume that each node $v \in \mathcal{V}$ has at least $2f$ incoming links. That is, $|N_v^-| \geq 2f$.
Later, we will show that there is no iterative Byzantine consensus if this condition does not
hold.



Algorithm 1 

Steps that should be performed by each node $i \in \mathcal{V}$ in the $t$-th iteration are as follows. Note
that the faulty nodes may deviate from this specification. Output of node $i$ at time $t$ is $v_i[t]$.

1. Transmit current state $v_i[t-1]$ on all outgoing edges.

2. Receive values on all incoming edges (these values form vector $r_i[t]$ of size $|N_i^-|$).

3. Sort the values in $r_i[t]$ in an increasing order, and eliminate the smallest $f$ values, and
the largest $f$ values (breaking ties arbitrarily). Let $N_i^*[t]$ denote the identifiers of nodes
from whom the remaining $|N_i^-| - 2f$ values were received, and let $w_j$ denote the value
received from node $j \in N_i^*[t]$. Then, $|N_i^*[t]| = |N_i^-| - 2f$. By definition, $i \notin N_i^*[t]$. Note
that if $j \in \{i\} \cup N_i^*[t]$ is fault-free, then $w_j = v_j[t-1]$. Define

$$v_i[t] = Z_i(r_i[t], v_i[t-1]) = \sum_{j \in \{i\} \cup N_i^*[t]} a_i \, w_j \qquad (2)$$

where

$$a_i = \frac{1}{|N_i^-| + 1 - 2f}$$

The "weight" of each term on the right side of (2) is $a_i$, and these weights add to 1.
Also, $0 < a_i \leq 1$. For future reference, let us define $\alpha$ as:

$$\alpha = \min_{i \in \mathcal{V}} a_i \qquad (3)$$



2 In a practical implementation, the algorithm may keep track of time, for instance, to decide to terminate 
after a certain number of iterations. 
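
The update rule of Algorithm 1, run as a small simulation (an added example, not code from the paper). The core-network topology (Definition 4 in Section 6.1), the inputs and the `two_faced` adversary are assumptions chosen for illustration; exact rationals are used so that the validity check is not blurred by floating-point rounding.

```python
from fractions import Fraction


def core_network(n, f):
    """In-neighbour sets N_i^- of a core network: nodes 0..2f form a clique K,
    and every other node is linked (in both directions) to all of K."""
    clique = set(range(2 * f + 1))
    everyone = set(range(n))
    return {i: (everyone - {i}) if i in clique else set(clique) for i in range(n)}


def two_faced(sender, receiver, t):
    """Constructed Byzantine behaviour: a different extreme value per receiver,
    flipped every iteration (possible in the point-to-point model)."""
    return Fraction(1000) if (receiver + t) % 2 == 0 else Fraction(-1000)


def algorithm1_step(state, in_nbrs, f, faulty, lie, t):
    """One iteration of Algorithm 1 at every fault-free node."""
    new_state = dict(state)  # entries of faulty nodes are never read
    for i in state:
        if i in faulty:
            continue
        # Steps 1-2: r_i[t], the values arriving on the incoming edges of i.
        received = sorted(
            lie(j, i, t) if j in faulty else state[j] for j in in_nbrs[i]
        )
        # Step 3: drop the f smallest and f largest, keep |N_i^-| - 2f values.
        kept = received[f:len(received) - f]
        values = [state[i]] + kept
        # Equal weights a_i = 1 / (|N_i^-| + 1 - 2f), as in equation (2).
        new_state[i] = sum(values, Fraction(0)) / len(values)
    return new_state


def simulate(n, f, faulty, inputs, rounds, lie=two_faced):
    """Return (final state, [(mu[t], U[t]) for t = 0..rounds])."""
    in_nbrs = core_network(n, f)
    state = {i: Fraction(x) for i, x in enumerate(inputs)}
    good = [i for i in state if i not in faulty]

    def span(s):
        return (min(s[i] for i in good), max(s[i] for i in good))

    history = [span(state)]
    for t in range(1, rounds + 1):
        state = algorithm1_step(state, in_nbrs, f, faulty, lie, t)
        history.append(span(state))
    return state, history


if __name__ == "__main__":
    # n = 5, f = 1; node 0 (inside the clique) is Byzantine.
    final, hist = simulate(5, 1, {0}, [0, 0, 10, 4, 7], rounds=60)
    for t in (0, 1, 5, 20, 60):
        mu, U = hist[t]
        print(f"t={t:2d}  mu={float(mu):.6f}  U={float(U):.6f}  U-mu={float(U - mu):.2e}")
```
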



3 Necessary Condition 



For an iterative Byzantine approximate consensus algorithm satisfying the output constraint,
the validity condition, and the convergence condition to exist, the underlying graph $G(\mathcal{V}, \mathcal{E})$
must satisfy a necessary condition proved in this section. We now define relations $\Rightarrow$ and $\not\Rightarrow$
that are used frequently in our proofs.

Definition 1 For non-empty disjoint sets of nodes $A$ and $B$, $A \Rightarrow B$ iff there exists a node
$v \in B$ that has at least $f + 1$ incoming links from nodes in $A$, i.e., $|N_v^- \cap A| > f$.
$A \not\Rightarrow B$ iff $A \Rightarrow B$ is not true.



Theorem 1 Let sets $F, L, C, R$ form a partition (footnote 3) of $\mathcal{V}$, such that

• $0 \leq |F| \leq f$,

• $0 < |L|$, and

• $0 < |R|$

Then, at least one of the two conditions below must be true.

• $C \cup R \Rightarrow L$

• $L \cup C \Rightarrow R$

Proof: The proof is by contradiction. Let us assume that a correct iterative consensus
algorithm exists, and $C \cup R \not\Rightarrow L$ and $L \cup C \not\Rightarrow R$. Thus, for any $i \in L$, $|N_i^- \cap (C \cup R)| < f + 1$,
and for any $j \in R$, $|N_j^- \cap (L \cup C)| < f + 1$. Figure 1 illustrates the sets used in this proof.

Also assume that the nodes in $F$ (if $F$ is non-empty) are all faulty, and the remaining
nodes, in sets $L, R, C$, are fault-free. Note that the fault-free nodes are not necessarily aware
of the identity of the faulty nodes.

Consider the case when (i) each node in $L$ has input $m$, (ii) each node in $R$ has input
$M$, such that $M > m$, and (iii) each node in $C$, if $C$ is non-empty, has an input in the range
$[m, M]$.

At the start of iteration 1, suppose that the faulty nodes in $F$ (if non-empty) send
$m^- < m$ to nodes in $L$, send $M^+ > M$ to nodes in $R$, and send some arbitrary value in
$[m, M]$ to the nodes in $C$ (if $C$ is non-empty). This behavior is possible since nodes in $F$ are
faulty. Note that $m^- < m < M < M^+$. Each fault-free node $k \in \mathcal{V} - \mathcal{F}$ sends to nodes in
$N_k^+$ value $v_k[0]$ in iteration 1.

3 Sets $X_1, X_2, X_3, \dots, X_p$ are said to form a partition of set $X$ provided that (i) $\cup_{1 \leq i \leq p} X_i = X$ and
$X_i \cap X_j = \Phi$ when $i \neq j$.







Figure 1: Illustration for the proof of Theorem 1. In this figure, $C \cup R \not\Rightarrow L$ and $L \cup C \not\Rightarrow R$.

Consider any node $i \in L$. Denote $N'(i) = N_i^- \cap (C \cup R)$. Since $C \cup R \not\Rightarrow L$, $|N'(i)| \leq f$.
Node $i$ will then receive $m^-$ from the nodes in $F \cap N_i^-$, and values in $[m, M]$ from the nodes
in $N'(i)$, and $m$ from the nodes in $\{i\} \cup (L \cap N_i^-)$.

Consider four cases:

• $F$ and $N'(i)$ are both empty: In this case, all the values that $i$ receives are from nodes
in $\{i\} \cup (L \cap N_i^-)$, and are identical to $m$. By validity condition (1), node $i$ must set
its new state, $v_i[1]$, to be $m$ as well.

• $F$ is empty and $N'(i)$ is non-empty: In this case, since $|N'(i)| \leq f$, from $i$'s perspective,
it is possible that all the nodes in $N'(i)$ are faulty, and the rest of the nodes are
fault-free. In this situation, the values sent to node $i$ by the fault-free nodes (which are all
in $\{i\} \cup (L \cap N_i^-)$) are all $m$, and therefore, $v_i[1]$ must be set to $m$ as per the validity
condition (1).

• $F$ is non-empty and $N'(i)$ is empty: In this case, since $|F| \leq f$, it is possible that all
the nodes in $F$ are faulty, and the rest of the nodes are fault-free. In this situation,
the values sent to node $i$ by the fault-free nodes (which are all in $\{i\} \cup (L \cap N_i^-)$) are
all $m$, and therefore, $v_i[1]$ must be set to $m$ as per the validity condition (1).

• Both $F$ and $N'(i)$ are non-empty: From node $i$'s perspective, consider two possible
scenarios: (a) nodes in $F$ are faulty, and the other nodes are fault-free, and (b) nodes
in $N'(i)$ are faulty, and the other nodes are fault-free.

In scenario (a), from node $i$'s perspective, the non-faulty nodes have values in $[m, M]$
whereas the faulty nodes have value $m^-$. According to the validity condition (1),
$v_i[1] \geq m$. On the other hand, in scenario (b), the non-faulty nodes have values $m^-$
and $m$, where $m^- < m$; so $v_i[1] \leq m$, according to the validity condition (1). Since
node $i$ does not know whether the correct scenario is (a) or (b), it must update its
state to satisfy the validity condition in both cases. Thus, it follows that $v_i[1] = m$.

Observe that in each case above $v_i[1] = m$ for each node $i \in L$. Similarly, we can show that
$v_j[1] = M$ for each node $j \in R$.

Now consider the nodes in set $C$, if $C$ is non-empty. All the values received by the nodes
in $C$ are in $[m, M]$, therefore, their new state must also remain in $[m, M]$, as per the validity
condition.

The above discussion implies that, at the end of the first iteration, the following conditions
hold true: (i) state of each node in $L$ is $m$, (ii) state of each node in $R$ is $M$, and (iii) state
of each node in $C$ is in $[m, M]$. These conditions are identical to the initial conditions
listed previously. Then, by induction, it follows that for any $t > 0$, $v_i[t] = m, \forall i \in L$, and
$v_j[t] = M, \forall j \in R$. Since $L$ and $R$ contain fault-free nodes, the convergence requirement is
not satisfied. This is a contradiction to the assumption that a correct iterative algorithm
exists. □



Corollary 1 Let $\{F, L, R\}$ be a partition of $\mathcal{V}$, such that $0 \leq |F| \leq f$, and $L$ and $R$ are
non-empty. Then, either $L \Rightarrow R$ or $R \Rightarrow L$.

Proof: The proof follows by setting $C = \Phi$ in Theorem 1. □



While the two corollaries below are also proved in prior literature [7], we derive them
again using the necessary condition above.

Corollary 2 The number of nodes $n$ must exceed $3f$ for the existence of a correct iterative
consensus algorithm tolerating $f$ failures.

Proof: The proof is by contradiction. Suppose that $2 \leq n \leq 3f$, and consider the following
two cases:

• $2 \leq n \leq 2f$: Suppose that $L, R, F$ is a partition of $\mathcal{V}$ such that $|L| = \lceil n/2 \rceil \leq f$,
$|R| = \lfloor n/2 \rfloor \leq f$ and $F = \Phi$. Note that $L$ and $R$ are non-empty, and $|L| + |R| = n$.

• $2f < n \leq 3f$: Suppose that $L, R, F$ is a partition of $\mathcal{V}$, such that $|L| = |R| = f$ and
$|F| = n - 2f$. Note that $0 < |F| \leq f$.

In both cases above, Corollary 1 is applicable. Thus, either $L \Rightarrow R$ or $R \Rightarrow L$. For $L \Rightarrow R$
to be true, $L$ must contain at least $f + 1$ nodes. Similarly, for $R \Rightarrow L$ to be true, $R$ must
contain at least $f + 1$ nodes. Therefore, at least one of the sets $L$ and $R$ must contain more
than $f$ nodes. This contradicts our choice of $L$ and $R$ above (in both cases, size of $L$ and $R$
is $\leq f$). Therefore, $n$ must be larger than $3f$. □

Corollary 3 When $f > 0$, for each node $i \in \mathcal{V}$, $|N_i^-| \geq 2f + 1$, i.e., each node $i$ has at least
$2f + 1$ incoming links.

Proof: The proof is by contradiction. Suppose that for some node $i$, $|N_i^-| \leq 2f$. Define
set $L = \{i\}$. Partition $N_i^-$ into two sets $F$ and $H$ such that $|H| = \lfloor |N_i^-|/2 \rfloor \leq f$ and
$|F| = \lceil |N_i^-|/2 \rceil \leq f$. Define $R = \mathcal{V} - F - L = \mathcal{V} - F - \{i\}$. Thus, $N_i^- \cap R = H$,
and $|N_i^- \cap R| \leq f$. Therefore, since $L = \{i\}$ and $|N_i^- \cap R| \leq f$, $R \not\Rightarrow L$. Also, since
$|L| = 1 < f + 1$, $L \not\Rightarrow R$.

This violates Corollary 1. □

4 Useful Lemmas 

Definition 2 For disjoint sets $A, B$, $in(A \Rightarrow B)$ denotes the set of all the nodes in $B$ that
each have at least $f + 1$ incoming links from nodes in $A$. More formally,

$$in(A \Rightarrow B) = \{\, v \mid v \in B \text{ and } f + 1 \leq |N_v^- \cap A| \,\}$$

With a slight abuse of notation, when $A \not\Rightarrow B$, define $in(A \Rightarrow B) = \Phi$.



Definition 3 For non-empty disjoint sets $A$ and $B$, set $A$ is said to propagate to set $B$ in
$l$ steps, where $l > 0$, if there exist sequences of sets $A_0, A_1, A_2, \dots, A_l$ and $B_0, B_1, B_2, \dots, B_l$
(propagating sequences) such that

• $A_0 = A$, $B_0 = B$, $B_l = \Phi$; and, for $\tau < l$, $B_\tau \neq \Phi$.

• for $0 \leq \tau \leq l - 1$,

* $A_\tau \Rightarrow B_\tau$,

* $A_{\tau+1} = A_\tau \cup in(A_\tau \Rightarrow B_\tau)$, and

* $B_{\tau+1} = B_\tau - in(A_\tau \Rightarrow B_\tau)$

Observe that $A_\tau$ and $B_\tau$ form a partition of $A \cup B$, and for $\tau < l$, $in(A_\tau \Rightarrow B_\tau) \neq \Phi$. Also,
when set $A$ propagates to set $B$, length $l$ above is necessarily finite. In particular, $l$ is upper
bounded by $n - f - 1$, since set $A$ must be of size at least $f + 1$ for it to propagate to $B$.



Lemma 1 Assume that $G(\mathcal{V}, \mathcal{E})$ satisfies Theorem 1. Consider a partition $A, B, F$ of $\mathcal{V}$ such
that $A$ and $B$ are non-empty, and $|F| \leq f$. If $B \not\Rightarrow A$, then set $A$ propagates to set $B$.

Proof: Since $A, B$ are non-empty, and $B \not\Rightarrow A$, by Corollary 1 we have $A \Rightarrow B$.

The proof is by induction. Define $A_0 = A$ and $B_0 = B$. Thus $A_0 \Rightarrow B_0$ and $B_0 \not\Rightarrow A_0$.
Note that $A_0$ and $B_0$ are non-empty.

Induction basis: For some $\tau \geq 0$,

• for $0 \leq k < \tau$, $A_k \Rightarrow B_k$, and $B_k \neq \Phi$,

• either $B_\tau = \Phi$ or $A_\tau \Rightarrow B_\tau$,

• for $0 \leq k < \tau$, $A_{k+1} = A_k \cup in(A_k \Rightarrow B_k)$, and $B_{k+1} = B_k - in(A_k \Rightarrow B_k)$

Since $A_0 \Rightarrow B_0$, the induction basis holds true for $\tau = 0$.

Induction: If $B_\tau = \Phi$, then the proof is complete, since all the conditions specified in
Definition 3 are satisfied by the sequences of sets $A_0, A_1, \dots, A_\tau$ and $B_0, B_1, \dots, B_\tau$.



Figure 2: Illustration for the proof of Lemma 1. In this figure, $B_0 \not\Rightarrow A_0$ and $A_{\tau+1} \not\Rightarrow B_{\tau+1}$.

Now consider the case when $B_\tau \neq \Phi$. By assumption, $A_k \Rightarrow B_k$, for $0 \leq k \leq \tau$. Define
$A_{\tau+1} = A_\tau \cup in(A_\tau \Rightarrow B_\tau)$ and $B_{\tau+1} = B_\tau - in(A_\tau \Rightarrow B_\tau)$. Our goal is to prove that either
$B_{\tau+1} = \Phi$ or $A_{\tau+1} \Rightarrow B_{\tau+1}$. If $B_{\tau+1} = \Phi$, then the induction is complete. Therefore, now let
us assume that $B_{\tau+1} \neq \Phi$ and prove that $A_{\tau+1} \Rightarrow B_{\tau+1}$. We will prove this by contradiction.

Suppose that $A_{\tau+1} \not\Rightarrow B_{\tau+1}$. Define subsets $L, C, R$ as follows: $L = A_0$, $C = A_{\tau+1} - A_0$
and $R = B_{\tau+1}$. Figure 2 illustrates the sets used in this proof. Due to the manner in which
the $A_k$ and $B_k$ are defined, we also have $C = B_0 - B_{\tau+1}$. Observe that $L, C, R, F$ form a
partition of $\mathcal{V}$, where $L, R$ are non-empty, and the following relationships hold:

• $C \cup R = B_0$, and

• $L \cup C = A_{\tau+1}$

Rewriting $B_0 \not\Rightarrow A_0$ and $A_{\tau+1} \not\Rightarrow B_{\tau+1}$, using the above relationships, we have, respectively,

$$C \cup R \not\Rightarrow L,$$

and

$$L \cup C \not\Rightarrow R$$

This violates the necessary condition in Theorem 1. This is a contradiction, completing the
induction.

Thus, we have proved that, either (i) $B_{\tau+1} = \Phi$, or (ii) $A_{\tau+1} \Rightarrow B_{\tau+1}$. Eventually, for
large enough $t$, $B_t$ will become $\Phi$, resulting in the propagating sequences $A_0, A_1, \dots, A_t$ and
$B_0, B_1, \dots, B_t$, satisfying the conditions in Definition 3. Therefore, $A$ propagates to $B$.

□



Lemma 2 Assume that $G(\mathcal{V}, \mathcal{E})$ satisfies Theorem 1. For any partition $A, B, F$ of $\mathcal{V}$, where
$A, B$ are both non-empty, and $|F| \leq f$, at least one of the following conditions must be true:

• $A$ propagates to $B$, or

• $B$ propagates to $A$

Proof: Consider two cases:

• $A \not\Rightarrow B$: Then by Lemma 1, $B$ propagates to $A$, completing the proof.

• $A \Rightarrow B$: In this case, consider two sub-cases:

— $A$ propagates to $B$: The proof in this case is complete.

— $A$ does not propagate to $B$: Thus, propagating sequences defined in Definition 3
do not exist in this case. More precisely, there must exist $k > 0$, and sets
$A_0, A_1, \dots, A_k$ and $B_0, B_1, \dots, B_k$, such that:

* $A_0 = A$ and $B_0 = B$, and

* for $0 \leq i \leq k - 1$,

o $A_i \Rightarrow B_i$,

o $A_{i+1} = A_i \cup in(A_i \Rightarrow B_i)$, and

o $B_{i+1} = B_i - in(A_i \Rightarrow B_i)$.

* $B_k \neq \Phi$ and $A_k \not\Rightarrow B_k$.

The last condition above violates the requirements for $A$ to propagate to $B$.

Now $A_k \neq \Phi$, $B_k \neq \Phi$, and $A_k, B_k, F$ form a partition of $\mathcal{V}$. Since $A_k \not\Rightarrow B_k$, by
Lemma 1, $B_k$ propagates to $A_k$.

Since $B_k \subseteq B_0 = B$, $A \subseteq A_k$, and $B_k$ propagates to $A_k$, it should be easy
to see that $B$ propagates to $A$. The proof is presented in the Appendix [B] for
completeness.

□



5 Sufficiency 

We prove that the necessary condition in Theorem 1 is sufficient. In particular, we will prove
that Algorithm 1 satisfies validity and convergence conditions when the necessary condition
is satisfied.

In the discussion below, assume that graph $G(\mathcal{V}, \mathcal{E})$ satisfies Theorem 1, and that $\mathcal{F}$ is the
set of faulty nodes in the network. Thus, the nodes in $\mathcal{V} - \mathcal{F}$ are fault-free. Since Theorem 1
holds for $G(\mathcal{V}, \mathcal{E})$, all the subsequently developed corollaries and lemmas in Sections 3 and
4 also hold for $G(\mathcal{V}, \mathcal{E})$.

Theorem 2 Suppose that $G(\mathcal{V}, \mathcal{E})$ satisfies Theorem 1. Then Algorithm 1 satisfies the
validity condition (1).

Proof: Consider the $t$-th iteration, and any fault-free node $i \in \mathcal{V} - \mathcal{F}$. Consider two cases:

• $f = 0$: In (2), note that $v_i[t]$ is computed using states from the previous iteration at
node $i$ and other nodes. By definition of $\mu[t-1]$ and $U[t-1]$, $v_j[t-1] \in [\mu[t-1], U[t-1]]$
for all fault-free nodes $j \in \mathcal{V} - \mathcal{F}$. Thus, in this case, all the values used in computing
$v_i[t]$ are in the range $[\mu[t-1], U[t-1]]$. Since $v_i[t]$ is computed as a weighted average
of these values, $v_i[t]$ is also within $[\mu[t-1], U[t-1]]$.

• $f > 0$: By Corollary 3, $|N_i^-| \geq 2f + 1$, and therefore, $|r_i[t]| \geq 2f + 1$. When computing
set $N_i^*[t]$, the largest $f$ and smallest $f$ values from $r_i[t]$ are eliminated. Since at
most $f$ nodes are faulty, it follows that, either (i) the values received from the faulty
nodes are all eliminated, or (ii) the values from the faulty nodes that still remain are
between values received from two fault-free nodes. Thus, the remaining values in $r_i[t]$
($v_j[t-1]$, $\forall j \in N_i^*[t]$) are all in the range $[\mu[t-1], U[t-1]]$. Also, $v_i[t-1]$ is in
$[\mu[t-1], U[t-1]]$, as per the definition of $\mu[t-1]$ and $U[t-1]$. Thus $v_i[t]$ is computed
as a weighted average of values in $[\mu[t-1], U[t-1]]$, and, therefore, it will also be in
$[\mu[t-1], U[t-1]]$.

Since $\forall i \in \mathcal{V} - \mathcal{F}$, $v_i[t] \in [\mu[t-1], U[t-1]]$, the validity condition (1) is satisfied. □
Lemma 3 Consider node $i \in \mathcal{V} - \mathcal{F}$. Let $\psi \leq \mu[t-1]$. Then, for $j \in \{i\} \cup N_i^*[t]$,

$$v_i[t] - \psi \geq a_i \,(w_j - \psi)$$

Specifically, for fault-free $j \in \{i\} \cup N_i^*[t]$,

$$v_i[t] - \psi \geq a_i \,(v_j[t-1] - \psi)$$

Proof: In (2), for each $j \in N_i^*[t]$, consider two cases:

• Either $j = i$ or $j \in N_i^*[t] \cap (\mathcal{V} - \mathcal{F})$: Thus, $j$ is fault-free. In this case, $w_j = v_j[t-1]$.
Therefore, $\mu[t-1] \leq w_j \leq U[t-1]$.

• $j$ is faulty: In this case, $f$ must be non-zero (otherwise, all nodes are fault-free). From
Corollary 3, $|N_i^-| \geq 2f + 1$. Then it follows that, in step 2 of Algorithm 1, the smallest
$f$ values in $r_i[t]$ contain the state of at least one fault-free node, say $k$. This implies
that $v_k[t-1] \leq w_j$. This, in turn, implies that $\mu[t-1] \leq w_j$.

Thus, for all $j \in \{i\} \cup N_i^*[t]$, we have $\mu[t-1] \leq w_j$. Therefore,

$$w_j - \psi \geq 0 \ \text{ for all } j \in \{i\} \cup N_i^*[t] \qquad (4)$$

Since weights in Equation 2 add to 1, we can re-write that equation as,

$$v_i[t] - \psi = \sum_{j \in \{i\} \cup N_i^*[t]} a_i \,(w_j - \psi) \qquad (5)$$

$$\geq a_i \,(w_j - \psi), \ \forall j \in \{i\} \cup N_i^*[t] \quad \text{from (4)}$$

For non-faulty $j \in \{i\} \cup N_i^*[t]$, $w_j = v_j[t-1]$, therefore,

$$v_i[t] - \psi \geq a_i \,(v_j[t-1] - \psi) \qquad (6)$$

□

Lemma 4 Consider node $i \in \mathcal{V} - \mathcal{F}$. Let $\Psi \geq U[t-1]$. Then, for $j \in \{i\} \cup N_i^*[t]$,

$$\Psi - v_i[t] \geq a_i \,(\Psi - w_j)$$

Specifically, for fault-free $j \in \{i\} \cup N_i^*[t]$,

$$\Psi - v_i[t] \geq a_i \,(\Psi - v_j[t-1])$$

The proof of Lemma 4 is similar to that of Lemma 3. The proof is presented in Appendix

The lemma below uses parameter $\alpha$ defined in (3).

Lemma 5 At time $s$ (i.e., at the end of the $s$-th iteration), suppose that the fault-free nodes
in $\mathcal{V} - \mathcal{F}$ can be partitioned into non-empty sets $R, L$ such that (i) $R$ propagates to $L$ in $l$
steps, and (ii) the states of nodes in $R$ are confined to an interval of length $\leq \frac{U[s] - \mu[s]}{2}$. Then,

$$U[s+l] - \mu[s+l] \leq \left(1 - \frac{\alpha^l}{2}\right) (U[s] - \mu[s]) \qquad (7)$$

Proof: Since $R$ propagates to $L$, as per Definition 3, there exist sequences of sets $R_0, R_1, \dots, R_l$
and $L_0, L_1, \dots, L_l$, where

• $R_0 = R$, $L_0 = L$, $L_l = \Phi$, for $0 \leq \tau < l$, $L_\tau \neq \Phi$, and

• for $0 \leq \tau \leq l - 1$,

* $R_{\tau+1} = R_\tau \cup in(R_\tau \Rightarrow L_\tau)$, and

* $L_{\tau+1} = L_\tau - in(R_\tau \Rightarrow L_\tau)$

Let us define the following bounds on the states of the nodes in $R$ at the end of the $s$-th
iteration:

$$M = \max_{j \in R} v_j[s] \qquad (8)$$
$$m = \min_{j \in R} v_j[s] \qquad (9)$$

By the assumption in the statement of Lemma 5,

$$M - m \leq \frac{U[s] - \mu[s]}{2} \qquad (10)$$

Also, $M \leq U[s]$ and $m \geq \mu[s]$. Therefore, $U[s] - M \geq 0$ and $m - \mu[s] \geq 0$.

The remaining proof of Lemma 5 relies on derivation of the three intermediate claims
below.



Claim 1 For $0 \leq \tau \leq l$, for each node $i \in R_\tau$,

$$v_i[s+\tau] - \mu[s] \geq \alpha^\tau (m - \mu[s]) \qquad (11)$$

Proof of Claim 1: The proof is by induction.

Induction basis: For some $\tau$, $0 \leq \tau < l$, for each node $i \in R_\tau$, (11) holds. By definition
of $m$, the induction basis holds true for $\tau = 0$.

Induction: Assume that the induction basis holds true for some $\tau$, $0 \leq \tau < l$. Consider $R_{\tau+1}$.
Observe that $R_\tau$ and $R_{\tau+1} - R_\tau$ form a partition of $R_{\tau+1}$; let us consider each of these sets
separately.

• Set $R_\tau$: By assumption, for each $i \in R_\tau$, (11) holds true. By validity of Algorithm 1,
$\mu[s] \leq \mu[s+\tau]$. Therefore, setting $\psi = \mu[s]$ in Lemma 3, we get,

$$v_i[s+\tau+1] - \mu[s] \geq a_i \,(v_i[s+\tau] - \mu[s])$$
$$\geq a_i \,\alpha^\tau (m - \mu[s]) \quad \text{due to (11)}$$
$$\geq \alpha^{\tau+1} (m - \mu[s]) \quad \text{due to (3)}$$

• Set $R_{\tau+1} - R_\tau$: Consider a node $i \in R_{\tau+1} - R_\tau$. By definition of $R_{\tau+1}$, we have that
$i \in in(R_\tau \Rightarrow L_\tau)$. Thus,

$$|N_i^- \cap R_\tau| \geq f + 1$$

In Algorithm 1, $2f$ values ($f$ smallest and $f$ largest) received by node $i$ are eliminated
before $v_i[s+\tau+1]$ is computed at the end of $(s+\tau+1)$-th iteration. Consider two
possibilities:

— Value received from one of the nodes in $N_i^- \cap R_\tau$ is not eliminated. Suppose that
this value is received from fault-free node $p \in N_i^- \cap R_\tau$. Then, by an argument
similar to the previous case, we can set $\psi = \mu[s]$ in Lemma 3 to obtain,

$$v_i[s+\tau+1] - \mu[s] \geq a_i \,(v_p[s+\tau] - \mu[s])$$
$$\geq a_i \,\alpha^\tau (m - \mu[s]) \quad \text{due to (11)}$$
$$\geq \alpha^{\tau+1} (m - \mu[s]) \quad \text{due to (3)}$$

— Values received from all (there are at least $f + 1$) nodes in $N_i^- \cap R_\tau$ are eliminated.
Note that in this case $f$ must be non-zero (for $f = 0$, no value is eliminated, as
already considered in the previous case). By Corollary 3, we know that each node
must have at least $2f + 1$ incoming edges. Since at least $f + 1$ values from nodes
in $N_i^- \cap R_\tau$ are eliminated, and there are at least $2f + 1$ values to choose from, it
follows that the values that are not eliminated (footnote 4) are within the interval to which
the values from $N_i^- \cap R_\tau$ belong. Thus, there exists a node $k$ (possibly faulty) from
whom node $i$ receives some value $w_k$ - which is not eliminated - and a fault-free
node $p \in N_i^- \cap R_\tau$ such that

$$v_p[s+\tau] \leq w_k \qquad (12)$$

Then by setting $\psi = \mu[s]$ in Lemma 3 we have

$$v_i[s+\tau+1] - \mu[s] \geq a_i \,(w_k - \mu[s])$$
$$\geq a_i \,(v_p[s+\tau] - \mu[s]) \quad \text{due to (12)}$$
$$\geq a_i \,\alpha^\tau (m - \mu[s]) \quad \text{due to (11)}$$
$$\geq \alpha^{\tau+1} (m - \mu[s]) \quad \text{due to (3)}$$

4 At least one value received from the nodes in $N_i^-$ is not eliminated, since there are $2f + 1$ incoming
edges, and only $2f$ values are eliminated.

Thus, we have shown that for all nodes in $R_{\tau+1}$,

$$v_i[s+\tau+1] - \mu[s] \geq \alpha^{\tau+1} (m - \mu[s])$$

This completes the proof of Claim 1.



Claim 2 For each node $i \in \mathcal{V} - \mathcal{F}$,

$$v_i[s+l] - \mu[s] \geq \alpha^l (m - \mu[s]) \qquad (13)$$

Proof of Claim 2:
Notice that by definition, $R_l = \mathcal{V} - \mathcal{F}$. Then the proof follows by setting $\tau = l$ in the
above Claim 1.

By a procedure similar to the derivation of Claim 2 above, we can also prove the claim
below. The proof of Claim 3 is presented in the Appendix for completeness.

Claim 3 For each node $i \in \mathcal{V} - \mathcal{F}$,

$$U[s] - v_i[s+l] \geq \alpha^l (U[s] - M) \qquad (14)$$



Now let us resume the proof of Lemma 5. Note that $R_l = \mathcal{V} - \mathcal{F}$. Thus,

$$U[s+l] = \max_{i \in \mathcal{V} - \mathcal{F}} v_i[s+l] \leq U[s] - \alpha^l (U[s] - M) \quad \text{by (14)} \qquad (15)$$

and

$$\mu[s+l] = \min_{i \in \mathcal{V} - \mathcal{F}} v_i[s+l] \geq \mu[s] + \alpha^l (m - \mu[s]) \quad \text{by (13)} \qquad (16)$$

Subtracting (16) from (15),

$$U[s+l] - \mu[s+l] \leq U[s] - \alpha^l (U[s] - M) - \mu[s] - \alpha^l (m - \mu[s])$$
$$= (1 - \alpha^l)(U[s] - \mu[s]) + \alpha^l (M - m) \qquad (17)$$
$$\leq (1 - \alpha^l)(U[s] - \mu[s]) + \alpha^l \, \frac{U[s] - \mu[s]}{2} \qquad (18)$$
$$\leq \left(1 - \frac{\alpha^l}{2}\right)(U[s] - \mu[s]) \qquad (19)$$

This concludes the proof of Lemma 5. □



Theorem 3 Suppose that $G(\mathcal{V}, \mathcal{E})$ satisfies Theorem 1. Then Algorithm 1 satisfies the
convergence condition.

Proof: Our goal is to prove that, given any $\epsilon > 0$, there exists $\tau$ such that

$$U[t] - \mu[t] \leq \epsilon \quad \forall t \geq \tau \qquad (20)$$

Consider $s$-th iteration, for some $s \geq 0$. If $U[s] - \mu[s] = 0$, then the algorithm has already
converged, and the proof is complete, with $\tau = s$.

Now consider the case when $U[s] - \mu[s] > 0$. Partition $\mathcal{V} - \mathcal{F}$ into two subsets, $A$
and $B$, such that, for each node $i \in A$, $v_i[s] \in \left[\mu[s], \frac{U[s] + \mu[s]}{2}\right)$, and for each node $j \in B$,
$v_j[s] \in \left[\frac{U[s] + \mu[s]}{2}, U[s]\right]$. By definition of $\mu[s]$ and $U[s]$, there exist fault-free nodes $i$ and $j$
such that $v_i[s] = \mu[s]$ and $v_j[s] = U[s]$. Thus, sets $A$ and $B$ are both non-empty. By Lemma
2, one of the following two conditions must be true:

• Set $A$ propagates to set $B$. Then, define $L = B$ and $R = A$. The states of all the
nodes in $R = A$ are confined within an interval of length $< \frac{U[s] + \mu[s]}{2} - \mu[s] \leq \frac{U[s] - \mu[s]}{2}$.

• Set $B$ propagates to set $A$. Then, define $L = A$ and $R = B$. In this case, states of all the
nodes in $R = B$ are confined within an interval of length $\leq U[s] - \frac{U[s] + \mu[s]}{2} \leq \frac{U[s] - \mu[s]}{2}$.

In both cases above, we have found non-empty sets $L$ and $R$ such that (i) $L, R$ is a partition
of $\mathcal{V} - \mathcal{F}$, (ii) $R$ propagates to $L$, and (iii) the states in $R$ are confined to an interval of length
$\leq \frac{U[s] - \mu[s]}{2}$. Suppose that $R$ propagates to $L$ in $l(s)$ steps, where $l(s) \geq 1$. By Lemma 5,

$$U[s + l(s)] - \mu[s + l(s)] \leq \left(1 - \frac{\alpha^{l(s)}}{2}\right)(U[s] - \mu[s]) \qquad (21)$$

Since $n - f - 1 \geq l(s) \geq 1$ and $0 < \alpha \leq 1$, $0 \leq \left(1 - \frac{\alpha^{l(s)}}{2}\right) < 1$.
Let us define the following sequence of iteration indices^]: 

5 Without loss of generality, we assume that U[n] — /i[rj] > 0. Otherwise, the statement is trivially true 
due to the validity shown in Theorem [2l 
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• TO = 0, 

• for i > 0, Tj = Tj_! + Z(rj_i), where l(s) for any given s was defined above. 

By repeated application of the argument leading to (ED), we can prove that, for i > 0, 



c/N - /^N < ( m =1 1 i - ) ) (u[o] - n[o\) (22) 



For a given e, by choosing a large enough i, we can obtain 



n} =1 (i —J ] (f/[o]-/i[o])< e 

and, therefore, 

$$U[\tau_i] - \mu[\tau_i] \le \varepsilon \tag{23}$$

For $t \ge \tau_i$, by validity of Algorithm 1, it follows that

$$U[t] - \mu[t] \le U[\tau_i] - \mu[\tau_i] \le \varepsilon$$

This concludes the proof. □ 

6 Applications 

In this section, we use the results in the previous sections to examine whether an iterative
approximate Byzantine consensus algorithm exists in some specific networks.

6.1 Core Network 

Graph $G(V, \mathcal{E})$ is said to be undirected iff $(i,j) \in \mathcal{E}$ implies that $(j,i) \in \mathcal{E}$. We now define a
class of undirected graphs, named core network.

Definition 4 Core Network: A graph $G(V,\mathcal{E})$ consisting of $n > 3f$ nodes is said to be a
core network if the following properties are satisfied: (i) it includes a clique formed by nodes
in $K \subseteq V$, such that $|K| = 2f + 1$, as a subgraph and, (ii) each node $i \notin K$ has links to all
the nodes in $K$. That is, (i) $\forall\, i,j \in K$, $(i,j) \in \mathcal{E}$ and $(j,i) \in \mathcal{E}$, and (ii) $\forall\, v \in V - K$, and
$\forall\, u \in K$, $(v,u) \in \mathcal{E}$ and $(u,v) \in \mathcal{E}$.

It is easy to show that a core network satisfies the necessary condition in Theorem 1.
Therefore, Algorithm 1 achieves approximate consensus in such a network. We conjecture that
a core network with $n = 3f + 1$ has the smallest number of edges possible in any undirected
network of $3f + 1$ nodes for which an iterative approximate consensus algorithm exists.
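A simulation of the trimmed update on the smallest core network with f = 1 (n = 5), added here as an illustration and not taken from the paper: it tracks μ[t] and U[t] over the fault-free nodes while one clique node reports arbitrary values. The equal weights a_i, the initial states, the random faulty behaviour and all function names are assumptions of this example.

```python
import random

def core_network(n, f):
    """In-neighbour sets N_i^- of a core network (Definition 4): nodes
    0..2f form the clique K; every other node is linked to all of K."""
    K = set(range(2 * f + 1))
    return {i: (set(range(n)) if i in K else K) - {i} for i in range(n)}

def iterate(in_nbrs, f, state, faulty, rng):
    """One synchronous round of the trimmed update at every fault-free node."""
    new = dict(state)
    for i, nbrs in in_nbrs.items():
        if i in faulty:
            continue
        # Constructed fault model: a faulty sender reports an arbitrary,
        # per-link value; fault-free senders report their true state.
        recv = sorted(rng.uniform(-1e3, 1e3) if j in faulty else state[j]
                      for j in nbrs)
        kept = recv[f:len(recv) - f]          # drop f smallest and f largest
        # Assumed equal weights a_i = 1 / (|kept| + 1); they add to 1.
        new[i] = (state[i] + sum(kept)) / (len(kept) + 1)
    return new

def simulate(n=5, f=1, faulty=frozenset({0}), rounds=3000, seed=7):
    """Return [(mu[t], U[t])] over fault-free nodes for t = 0..rounds."""
    rng = random.Random(seed)
    g = core_network(n, f)
    state = {i: 10.0 * i for i in g}          # constructed initial states
    trace = []
    for _ in range(rounds + 1):
        good = [state[i] for i in g if i not in faulty]
        trace.append((min(good), max(good)))
        state = iterate(g, f, state, faulty, rng)
    return trace

if __name__ == "__main__":
    tr = simulate()
    for t in (0, 1, 5, 20, 100):
        mu, U = tr[t]
        print(f"t={t:3d}  mu={mu:.6f}  U={U:.6f}  U-mu={U - mu:.2e}")
```

In the trace, μ[t] never decreases and U[t] never increases (validity), and their difference shrinks towards zero (convergence).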
Figure 3: (a) 3-dimensional cube, (b) 3-dimensional cube redrawn to illustrate the partitions 
{0,1,2,3} and {4,5,6,7}. 

6.2 Hypercube 

If the consensus algorithms are not required to satisfy the constraints imposed on iterative
algorithms in this paper, then it is known that consensus can be achieved in undirected graphs
with connectivity $> 2f$ [12]. However, connectivity of $2f + 1$ by itself is not sufficient for
iterative algorithms of interest in this paper. For example, a $d$-dimensional binary hypercube
is an undirected graph consisting of $2^d$ nodes and has connectivity $d$. However, a cut of this
graph that removes edges along any one dimension fails to satisfy the necessary condition
in Theorem 1, since each node has exactly one edge that belongs to the cut. Thus, each
node in one part of the partition is neighbor to fewer than $f + 1$ nodes in the other part,
for any $f \ge 1$. Figure 3 illustrates such a partition for a 3-dimensional binary cube. Each
undirected link in the figure represents two directed edges, namely, $(i,j)$ and $(j,i)$.

6.3 Chord Network 

A chord network is a directed graph defined as follows. This network is similar but not 
identical to the network in [15]. 

Definition 5 Chord network: A graph $G(V,\mathcal{E})$ consisting of $n > 3f$ nodes is said to be a
chord network if (i) $V = \{0, 1, \cdots, n-1\}$, (ii) $\forall i \in V$, $(i,j) \in \mathcal{E}$ iff $j = i + k \bmod n$, where
$1 \le k \le 2f+1$. That is, for each node $i \in V$, $(i, (i+1) \bmod n), (i, (i+2) \bmod n), \cdots,
(i, (i+2f+1) \bmod n) \in \mathcal{E}$.

The case when $f = 1$ and $n = 4$ results in a fully connected graph, which trivially satisfies
Theorem 1. The following results can be shown for two other specific chord networks:

• When $f = 2$ and $n = 7$, the chord network does not satisfy Theorem 1.
Let $V = \{0, 1, \cdots, 6\}$. Then the counterexample is as follows:

Let nodes 5 and 6 be faulty. Then consider $L = \{0,2\}$ and $R = \{1,3,4\}$. This partition
fails Theorem 1. Obviously, $L \not\Rightarrow R$, since $|L| < f + 1 = 3$. However, $R \not\Rightarrow L$, since
$N_0^- \cap R = \{3,4\}$ and $N_2^- \cap R = \{1,4\}$, which have size less than 3. Notice that
this example also illustrates that connectivity of $2f + 1$ by itself is not sufficient in a
directed and symmetric network.

• The chord network with $f = 1$ and $n = 5$ satisfies Theorem 1.
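The partition test used in Sections 6.2 and 6.3, as an added example (not the authors' code): it checks the two partitions given in the text and goes further by searching small graphs exhaustively. It assumes Theorem 1's condition in the form "for every partition F, L, C, R of V with |F| ≤ f and L, R non-empty, C ∪ R ⇒ L or L ∪ C ⇒ R", where A ⇒ B means some node in B has at least f + 1 incoming links from A; the function names are illustrative.

```python
from itertools import product

def chord(n, f):
    """In-neighbour sets N_j^- of the chord network (Definition 5):
    edge (i, (i + k) mod n) for 1 <= k <= 2f + 1."""
    return {j: {(j - k) % n for k in range(1, 2 * f + 2)} for j in range(n)}

def hypercube(d):
    """In-neighbour sets of the undirected d-dimensional binary hypercube."""
    return {j: {j ^ (1 << b) for b in range(d)} for j in range(2 ** d)}

def propagates(in_nbrs, f, A, B):
    """A => B: some node in B has at least f + 1 incoming links from A."""
    return any(len(in_nbrs[j] & A) >= f + 1 for j in B)

def partition_ok(in_nbrs, f, L, C, R):
    """Assumed Theorem 1 test for one partition: C u R => L or L u C => R."""
    return propagates(in_nbrs, f, C | R, L) or propagates(in_nbrs, f, L | C, R)

def find_violation(in_nbrs, f):
    """Try every partition F, L, C, R with |F| <= f and L, R non-empty.
    Returns the first violating partition, or None if the condition holds."""
    nodes = sorted(in_nbrs)
    for labels in product("FLCR", repeat=len(nodes)):
        part = {p: {v for v, lab in zip(nodes, labels) if lab == p}
                for p in "FLCR"}
        if len(part["F"]) > f or not part["L"] or not part["R"]:
            continue
        if not partition_ok(in_nbrs, f, part["L"], part["C"], part["R"]):
            return part
    return None

if __name__ == "__main__":
    c7 = chord(7, 2)
    # Counterexample from the text: nodes 5, 6 faulty, L = {0,2}, R = {1,3,4}.
    print("N_0^- & R =", c7[0] & {1, 3, 4}, " N_2^- & R =", c7[2] & {1, 3, 4})
    print("chord n=7 f=2, text partition ok:",
          partition_ok(c7, 2, {0, 2}, set(), {1, 3, 4}))
    print("chord n=5 f=1 violation:", find_violation(chord(5, 1), 1))
    print("3-cube f=1, cut {0..3}|{4..7} ok:",
          partition_ok(hypercube(3), 1, {0, 1, 2, 3}, set(), {4, 5, 6, 7}))
```

The search visits 4^n labelings, so it is only practical for graphs of roughly the sizes discussed here.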

7 Asynchronous Networks 

The above results can be generalized to derive a necessary and sufficient condition for (totally)
asynchronous networks under which the algorithm defined in [5] would work correctly. In
essence, the primary change is that the requirement of $\ge f+1$ incoming links in the definition
of $\Rightarrow$ needs to be replaced by $\ge 2f + 1$ links. This implies that $|N_i^-| \ge 3f + 1$ for each
node $i$ when $f > 0$ and $n$, the number of nodes, must exceed $5f$. The above results can also be
generalized to the (partially) asynchronous model defined in Section 7 of [I] that allows for
message delay of up to $B$ iterations.

Full details of the above generalizations will be presented in a future technical report. 

8 Conclusion 

This paper proves a necessary and sufficient condition for the existence of an iterative
approximate consensus algorithm in arbitrary directed graphs. As a special case, our results can
also be applied to undirected graphs. We also use the necessary and sufficient condition to
determine whether such iterative algorithms exist for certain specific graphs.

In our ongoing research, we are exploring extensions of the above results by relaxing some 
of the assumptions made in this work. 
A Proof of Claim 3

In this section, we will prove Claim 3 in Section 5.
For each node $i \in V - \mathcal{F}$,

$$U[s] - v_i[s + l] \ge \alpha^l (U[s] - M)$$

Proof: Similar to the proof of Claim 2, we will first prove the following claim:

Claim 4 For $0 \le \tau \le l$, for each node $i \in R_\tau$,

$$U[s] - v_i[s + \tau] \ge \alpha^\tau (U[s] - M) \tag{24}$$

Proof of Claim 4: The proof is by induction.

Induction basis: For some $\tau$, $0 \le \tau < l$, for each node $i \in R_\tau$, (24) holds. By definition
of $M$, the induction basis holds true for $\tau = 0$.

Induction: Assume that the induction basis holds true for some $\tau$, $0 \le \tau < l$. Consider $R_{\tau+1}$.
Observe that $R_\tau$ and $R_{\tau+1} - R_\tau$ form a partition of $R_{\tau+1}$; let us consider each of these sets
separately.

• Set $R_\tau$: By assumption, for each $i \in R_\tau$, (24) holds true. By validity of Algorithm 1,
$U[s] \ge U[s + \tau]$. Therefore, setting $\Psi = U[s]$ in Lemma 4, we get,

$$\begin{aligned}
U[s] - v_i[s + \tau + 1] &\ge a_i \,(U[s] - v_i[s + \tau]) \\
&\ge a_i \,\alpha^\tau (U[s] - M) \quad \text{due to (24)} \\
&\ge \alpha^{\tau+1} (U[s] - M) \quad \text{due to ©}
\end{aligned}$$

• Set $R_{\tau+1} - R_\tau$: Consider a node $i \in R_{\tau+1} - R_\tau$. By definition of $R_{\tau+1}$, we have that
$i \in in(R_\tau \Rightarrow L_\tau)$. Thus,

$$|N_i^- \cap R_\tau| \ge f + 1$$

In Algorithm 1, $2f$ values ($f$ smallest and $f$ largest) received by node $i$ are eliminated
before $v_i[s + \tau + 1]$ is computed at the end of the $(s + \tau + 1)$-th iteration. Consider two
possibilities:
– Value received from one of the nodes in $N_i^- \cap R_\tau$ is not eliminated. Suppose that
this value is received from fault-free node $p \in N_i^- \cap R_\tau$. Then, by an argument
similar to the previous case, we can set $\Psi = U[s]$ in Lemma 4 to obtain,

$$\begin{aligned}
U[s] - v_i[s + \tau + 1] &\ge a_i \,(U[s] - v_p[s + \tau]) \\
&\ge a_i \,\alpha^\tau (U[s] - M) \quad \text{due to (24)} \\
&\ge \alpha^{\tau+1} (U[s] - M) \quad \text{due to ©}
\end{aligned}$$

– Values received from all (there are at least $f + 1$) nodes in $N_i^- \cap R_\tau$ are eliminated.
Note that in this case $f$ must be non-zero (for $f = 0$, no value is eliminated, as
already considered in the previous case). By Corollary 3, we know that each node
must have at least $2f + 1$ incoming edges. Since at least $f + 1$ values from nodes
in $N_i^- \cap R_\tau$ are eliminated, and there are at least $2f + 1$ values to choose from, it
follows that the values that are not eliminated are within the interval to which
the values from $N_i^- \cap R_\tau$ belong. Thus, there exists a node $k$ (possibly faulty) from
whom node $i$ receives some value $w_k$ (which is not eliminated) and a fault-free
node $p \in N_i^- \cap R_\tau$ such that

$$v_p[s + \tau] \ge w_k \tag{25}$$

Then by setting $\Psi = U[s]$ in Lemma 4 we have

$$\begin{aligned}
U[s] - v_i[s + \tau + 1] &\ge a_i \,(U[s] - w_k) \\
&\ge a_i \,(U[s] - v_p[s + \tau]) \quad \text{due to (25)} \\
&\ge a_i \,\alpha^\tau (U[s] - M) \quad \text{due to (24)} \\
&\ge \alpha^{\tau+1} (U[s] - M) \quad \text{due to ©}
\end{aligned}$$



Thus, we have shown that for all nodes in $R_{\tau+1}$,

$$U[s] - v_i[s + \tau + 1] \ge \alpha^{\tau+1} (U[s] - M)$$

This completes the proof of Claim 4.



Now, we are able to prove Claim 3.

Proof of Claim 3:
Notice that by definition, $R_l = V - \mathcal{F}$. Then the proof follows by setting $\tau = l$ in the
above Claim 4.

□
B Completing the proof of Lemma

The last line in the proof of Lemma 2 claims that:

"Since Bk C B = B , A C and Bk propagates to Ak, it should be easy to see that B 
propagates to A." 

We now prove the correctness of this claim. 

Proof: Recall that $A_i$ and $B_i$ form a partition of $V - \mathcal{F}$.

Let us define $P = P_0 = B_k$ and $Q = Q_0 = A_k$. Thus, $P$ propagates to $Q$. Suppose that
$P_0, P_1, \cdots, P_m$ and $Q_0, Q_1, \cdots, Q_m$ are the propagating sequences in this case, with $P_i$ and $Q_i$
forming a partition of $P \cup Q = A_k \cup B_k = V - \mathcal{F}$.

Let us define $R = R_0 = B$ and $S = S_0 = A$. Note that $R, S$ form a partition of
$A \cup B = V - \mathcal{F}$. Now, $P = B_k \subseteq B = R$ and $S = A \subseteq A_k = Q_0$. Also, $R_0 - P_0$ and $S_0$
form a partition of $Q_0$. Figure 4 illustrates some of the sets used in this proof.




Figure 4: Illustration for the proof of the last line in Lemma 2. In this figure, $R_0 =
P_0 \cup (R_0 - P_0)$ and $Q_0 = S_0 \cup (R_0 - P_0)$.

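• Define $P_1 = P_0 \cup in(P_0 \Rightarrow Q_0)$, and $Q_1 = V - \mathcal{F} - P_1 = Q_0 - in(P_0 \Rightarrow Q_0)$. Also,
$R_1 = R_0 \cup in(R_0 \Rightarrow S_0)$, and $S_1 = V - \mathcal{F} - R_1 = S_0 - in(R_0 \Rightarrow S_0)$.

Since $R_0 - P_0$ and $S_0$ are a partition of $Q_0$, the nodes in $in(P_0 \Rightarrow Q_0)$ belong to one
of these two sets. Note that $R_0 - P_0 \subseteq R_0$. Also, $S_0 \cap in(P_0 \Rightarrow Q_0) \subseteq in(R_0 \Rightarrow S_0)$.
Therefore, it follows that $P_1 = P_0 \cup in(P_0 \Rightarrow Q_0) \subseteq R_0 \cup in(R_0 \Rightarrow S_0) = R_1$.

Thus, we have shown that $P_1 \subseteq R_1$. Then it follows that $S_1 \subseteq Q_1$.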
• For $0 \le i < m$, let us define $R_{i+1} = R_i \cup in(R_i \Rightarrow S_i)$ and $S_{i+1} = S_i - in(R_i \Rightarrow S_i)$.
Then following an argument similar to the above case, we can inductively show that
$P_i \subseteq R_i$ and $S_i \subseteq Q_i$. Due to the assumption on the length of the propagating sequence
above, $P_m = P \cup Q = V - \mathcal{F}$. Thus, there must exist $r \le m$, such that $R_r = V - \mathcal{F}$
and, for $i < r$, $R_i \ne V - \mathcal{F}$.

The sequences $R_0, R_1, \cdots, R_r$ and $S_0, S_1, \cdots, S_r$ form propagating sequences, proving
that $R = B$ propagates to $S = A$.

□ 



C Proof of Lemma 4 



Proof: In (2), for each $j \in N_i^*[t]$, consider two cases:

• Either $j = i$ or $j \in N_i^*[t] \cap (V - \mathcal{F})$: Thus, $j$ is fault-free. In this case, $w_j = v_j[t-1]$.
Therefore, $\mu[t-1] \le w_j \le U[t-1]$.

• $j$ is faulty: In this case, $f$ must be non-zero (otherwise, all nodes are fault-free). From
Corollary 3, $|N_i^-| \ge 2f + 1$. Then it follows that, in step 2 of Algorithm 1, the largest
$f$ values in $r_i[t]$ contain the state of at least one fault-free node, say $k$. This implies
that $v_k[t-1] \ge w_j$. This, in turn, implies that $U[t-1] \ge w_j$.



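Thus, for all $j \in \{i\} \cup N_i^*[t]$, we have $U[t-1] \ge w_j$. Therefore,

$$\Psi - w_j \ge 0 \quad \text{for all } j \in \{i\} \cup N_i^*[t] \tag{26}$$

Since weights in Equation 2 add to 1, we can re-write that equation as,

$$\begin{aligned}
\Psi - v_i[t] &= \sum_{j \in \{i\} \cup N_i^*[t]} a_i \,(\Psi - w_j) \qquad (27) \\
&\ge a_i \,(\Psi - w_j), \quad \forall j \in \{i\} \cup N_i^*[t] \quad \text{from (26)}
\end{aligned}$$

For non-faulty $j \in \{i\} \cup N_i^*[t]$, $w_j = v_j[t-1]$, therefore,

$$\Psi - v_i[t] \ge a_i \,(\Psi - v_j[t-1]) \tag{28}$$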



□ 